[erlang-questions] ssl psk since 20.3 failed
Ingela Andin
ingela.andin@REDACTED
Fri Sep 7 22:54:02 CEST 2018
No problem :) I will include it in OTP-21.1 except rsa_psk uses certs so I
removed the last one again.
Have also tweaked the test cases so that this is test correctly.
Regards Ingela Erlang/OTP team - Ericsson AB
Den tors 6 sep. 2018 kl 15:41 skrev Ingela Andin <ingela.andin@REDACTED>:
>
>
> Humm ... I believe the this was broken by PR-1729, the solution feels
> familiar. I hope that the following patch covers all the cases.
>
> diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
> index 63996f5..4fbf463 100644
> --- a/lib/ssl/src/ssl_handshake.erl
> +++ b/lib/ssl/src/ssl_handshake.erl
> @@ -1056,7 +1056,10 @@ select_curve(undefined, _, _) ->
> select_hashsign(_, _, KeyExAlgo, _, _Version) when KeyExAlgo == dh_anon;
> KeyExAlgo == ecdh_anon;
> KeyExAlgo == srp_anon;
> - KeyExAlgo == psk ->
> + KeyExAlgo == psk;
> + KeyExAlgo == dhe_psk;
> + KeyExAlgo == ecdhe_psk;
> + KeyExAlgo == rsa_psk ->
> {null, anon};
> %% The signature_algorithms extension was introduced with TLS 1.2. Ignore
> it if we have
> %% negotiated a lower version.
>
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
>
>
>
> Den ons 5 sep. 2018 kl 23:00 skrev Oliver Bollmann <
> oliver.bollmann@REDACTED>:
>
>> This works with 20.2.2 but since 20.3(21.x) it doesn't!
>>
>> Error in process <0.79.0> with exit value:
>> {{badmatch,{error,{tls_alert,"handshake failure"}}},
>> [{client_server,init_connect,1,[{file,"client_server.erl"},{line,37}]}]}
>>
>> Any hints?
>>
>> -module(client_server).%%% Purpose: Example of SSL client and server using psk.-export([start/0, init_connect/1]).start() ->
>> %% Start ssl application {ok, StartedApps} = application:ensure_all_started(ssl),
>>
>> %% Let the current process be the server that listens and accepts %% Listen {ok, LSock} = ssl:listen(0, mk_opts(listen)),
>> {ok, {_, LPort}} = ssl:sockname(LSock),
>> io:fwrite("Listen: port = ~w.~n", [LPort]),
>>
>> %% Spawn the client process that connects to the server spawn(?MODULE, init_connect, [LPort]),
>>
>> %% Accept {ok, ASock} = ssl:transport_accept(LSock),
>> ok = ssl:ssl_accept(ASock),
>> io:fwrite("Accept: accepted.~n"),
>> ssl:send(ASock, "hello"),
>> {error, closed} = ssl:recv(ASock, 0),
>> io:fwrite("Accept: detected closed.~n"),
>> ssl:close(ASock),
>> io:fwrite("Listen: closing and terminating.~n"),
>> ssl:close(LSock),
>>
>> lists:foreach(fun application:stop/1, lists:reverse(StartedApps)).%% Client connectinit_connect(LPort) ->
>> {ok, Host} = inet:gethostname(),
>> {ok, CSock} = ssl:connect(Host, LPort, mk_opts(connect)),
>> io:fwrite("Connect: connected.~n"),
>> {ok, Data} = ssl:recv(CSock, 0),
>> io:fwrite("Connect: got data: ~p~n", [Data]),
>> io:fwrite("Connect: closing and terminating.~n"),
>> ssl:close(CSock).mk_opts(listen) ->
>> mk_opts("server");
>> mk_opts(connect) ->
>> mk_opts("client");
>> mk_opts(Role) ->
>> [{active, false},
>> {psk_identity,Role},
>> {user_lookup_fun,{fun lookup/3,list_to_binary(Role)}},
>> {versions,['tlsv1.2']},
>> {ciphers, [{dhe_psk,aes_256_gcm,null,sha384}
>> ]}
>> ].lookup(psk,_,_) -> {ok,<<"psk">>}.
>>
>> --
>> Grüße
>> Oliver Bollmann
>>
>> _______________________________________________
>> erlang-questions mailing list
>> erlang-questions@REDACTED
>> http://erlang.org/mailman/listinfo/erlang-questions
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20180907/b32e1b30/attachment.htm>
More information about the erlang-questions
mailing list